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Under the Ansatz that the occupation times of a system with finitely many states are given by 
the Gibbs distribution, an effective temperature is uniquely determined (up to a choice of scale), 
and may be computed de novo, without any reference to a Hamiltonian for empirically accessible 
systems. As an example, the calculation of the effective temperature for a classical Bose gas is 
outlined and applied to the analysis of computer network traffic. 
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a. Introduction. It is commonplace to characterize 
communications channels and chaotic and complex sys- 
tems through the use of some type of entropy mea- 
sure. However, further dynamical characterizations are 
often discipline-specific: e.g., fidelity for quantum error- 
correcting codes, rates of divergence or Lyapunov expo- 
nents, attractor reconstruction methods, etc. [lj While 
system-specific differences are to be expected, it is always 
desirable to have more versatile tools for characterization. 
This viewpoint suggests the potential to apply fundamen- 
tal concepts from statistical physics beyond entropy that 
have yet to be developed in subject areas outside of their 
historically derived roles. Meanwhile, a common feature 
in the methods listed above (and indeed the fundamental 
property of any dynamical characterization, regardless of 
its actual purpose) is a functional dependence on the dy- 
namical time evolution. The emergence of a general dy- 
namical measure would complement the widely adopted 
class of characterizations constructed from density matri- 
ces and their ilk, of which entropies are the most promi- 
nent. An ideal candidate for such a measure is an ef- 
fective temperature [2]. We review the construction of 
such a temperature here. Its form (see equation ( ^3| ) is 
uniquely determined by the requirement of consistency 
with equilibrium statistical physics, and its applicability 
is enhanced by the virtue that it is a function only of the 
state occupation times (equivalently, the state probabil- 
ities and recurrence time). In consequence, we arrive at 
the following result of interest: rather than playing the 
role of an environmental parameter in calculations with 
detailed models, temperature can be regarded as an in- 
trinsic quantity that can be computed de novo purely on 
the basis of time averages. By closing the Gibbs relation, 
the same point of view can be extended to the state en- 
ergies. We expect that the framework presented here can 
be fruitfully applied to the analysis of generic empirically 
accessible systems. 

Our work is a natural outgrowth of several recent de- 
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velopments, one set of which is reviewed in [2]. It is now 
well known how to calculate the temperature from time 
averages for a given Hamiltonian |3], [3], 0. In a more 
abstract setting, it has also been illustrated how energies 
and probabilities or time averages suffice [6], [7]. 

The requirement of empirical accessibility for our 
framework appears to exclude much of the traditional 
domain of statistical physics from applications, but it 
also suggests completely new applications in the spirit of 
information theory, e.g. to data from networks and mar- 
kets, or more generically to large data sets. One such 
application of immediate interest is to computer network 
traffic: the use of thermal variables other than entropy 
to describe computer network traffic has been considered 
previously [8], [9]. Another area worthy of investigation 
is temperature in granular media [10] , [11] . 

b. Two sets of coordinates. Let us make it clear at 
the outset that our goal is to describe systems using the 
idiom of equilibrium statistical physics in the canonical 
ensemble. Consider a finite system with n states, with 
nonzero occupation probabilities {pk}k=i and character- 
istic recurrence time too. We begin in earnest by noting 
that we may stipulate that the (otherwise as yet unde- 
termined) state energies satisfy the zero-point constraint 

+ + = 0. (1) 

(Note that this is not the same as fixing the internal en- 
ergy.) Keeping ([TJ in mind, we introduce an empirical 
temperature parameter 8 = UbT and two sets of coor- 
dinates. The experimentalist's coordinates are given by 
the characteristic state occupation times: 

* :=(*!,..., *n), (2) 

with tk := tooPk (or in shorthand t = toop), and the 
theorist's coordinates are given by 

if :=(#!,..., E n , 9). (3) 

t-coordinates lie in X t :— {t : tk > 0, V7c}; //-coordinates 
typically (but not necessarily always [12]) lie in Xh '= 
{H : (9>0) A (E 1 +.-. + E n = 0)}. 

It is natural to ask how to transform from one set of 
coordinates to the other. The transformation from Xh 
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to X t is the usual aim of statistical physics. The main 
issue in this direction is the computation of the partition 
function, which is trivial for finite systems in the sense 
that the computation can be effected in 0(n) arithmetic 
steps. The other direction, from X t to X H , is far less 
explored: navigating it raises the prospect of bringing the 
tools of thermodynamics and statistical physics to bear 
on a host of real- world problems that may have hitherto 
appeared to lie outside their domain. 

Without any constraints (e.g., without fixing the in- 
ternal energy of the system a la Jaynes [13]), the Gibbs 
Ansatz for the state occupation probabilities is underde- 
termined, i.e., the assignment (with /3 := B -1 ) 



tk/tc 



Pk 



Pk 



/z, 



(4) 



still does not uniquely specify a point in X Hl but only a 
ray, since ct k /ctoo = tk/too and (/3/c)(cE k ) = (3E k . 

c. Preliminaries. To begin a condensation and re- 
finement of [13] . the equations ([TJ and Q imply that 
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w f-f Pk 



(5) 



and we can use this to obtain {3H = (f3Ei, . . . , f3E n , 1) 
The angle between the unit vector e@ := (0, . . . , 0, 1) : 
and H is given by 



cos 



f3H 
\0H\ 



The temperature is therefore given by 



e(t) 



\H\\ cos 



where 



1/2 
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Jfe=l 



(6) 
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To obtain 0(t), it remains only to compute ||-H"||. To do 
this we shall require two preliminary results. The first 
result is a scaling behavior of the type suggested by the 
Wick rotation/correspondence f3 it in finite temper- 
ature field theory: this will be examined from several 
points of view. The second result is a geometrical result 
called the radial foliation lemma. 

d. POV 1: dimensional analysis. It is clear from 
dimensional considerations that T = B/ks must de- 
pend on some governing parameter x besides ks and t. 
W/l/o/g, x carries units of action and may be set to h, 
so T = f(h, ks,t) for some /. Now the Buckingham II- 
theorem [15] , [16] implies that there is a non-dimensional 
function $(p) such that T 



frkstj^p), i.e. 



B = htz?*(p) 



(9) 



Therefore B scales as l/t^. Moreover, it is clear from ^ 
that using a unit of action other than h as a governing 
parameter merely amounts to a change of scale for B. 



e. POV 2: two ideal gas systems. Consider the fol- 
lowing thought experiment, in which we have two sys- 
tems, comprised respectively of finite ideal gas sam- 
ples with particle masses m and Cm, each in identical 
freefalling containers in contact with its own isotropic 
thermal bath, and with the same initial conditions in 
phase space. Insofar as the system microstates are not 
of interest in equilibrium, the systems may be respec- 
tively described by, e.g. the quintuples (m, v, too]p, P) 
and (Cm, v/C, Ct^p, C/3), where the rms velocities and 
momenta are indicated. Each system follows the same 
trajectory through phase space, albeit at rates that dif- 
fer by constant factors, and we see that B scales as 1/too 
for ideal gases, and hence (by means of a suitable cou- 
pling with an ideal gas bath) for general systems also. 

/. POV 3: extended canonical transformation. Con- 
sider a Hamiltonian H(X,P). Dilating the dynamical 
rate by a factor C has the effect that too > t'oo = too/C 
and amounts to a change of units, as it also induces the 
extended canonical transformation X i— > X' = X, P i— > 
P' = CP, H i-> H' = CH. Meanwhile, (3 i-> 0' and e~ pH 
is invariant, so it follows that (3' = /3/C and B scales as 

1/too- 

g. POV 4 : thermal time hypothesis. Let H be a 
Hamiltonian on a finite- dimensional Hilbert space. The 
thermal density matrix is uo = Z~ 1 Ti(e~^ H ), and the 
time evolution of an observable A is given as usual by 

T t (A) = e iHt/h Ae -iHt/h^ 

Now the one-parameter modular group of u that ap- 
pears in the Tomita-Takesaki theory of von Neumann 
algebras [17] can be shown to coincide with the time evo- 
lution group [18] : if s is the modular parameter and t is 
the physical time, then 



t = f3s/h. 



(10) 



In particular, s does not depend on (5. 

The thermal time hypothesis (TTH) articulated by 
Connes and Rovelli [18 (see also [19], [20], [H], [22]) 
states that physical time is determined by the modular 
group, which is in turn determined by the state. The 
TTH simultaneously inverts and generalizes the Kubo- 
Martin-Schwinger condition [23], so that temperature 
provides the physical link between time evolution and 
equilibria. Moreover, the TTH implies Hamiltonian me- 
chanics and the Gibbs postulate. Its key implication here 
though is simply (10), which implies that B scales as 

l/too- 

h. The radial foliation lemma. We now establish the 
radial foliation lemma. As mentioned after Q , the state 
probabilities are constant on rays in both X t and Xh • 
Let e!f\er H ^ denote radial unit vectors in X t and X H , 
respectively. We will make the mild assumption that any 
relevant partial derivatives exist on the interiors of X t 
and Xh- It is easy to see that 



dt = d\\t\ 



(1H 



H\\e 



i.e., one of the differentials is purely radial iff both are, 
and in such an event the probabilities remain constant; 
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likewise, one of the differentials dt, dH is purely angu- 
lar iff both are, and in such an event the probabilities 
change. We therefore obtain the lemma: that any rea- 
sonably smooth map between X t and Xh that respects 
([!]) sends rays and sphere orthants in X t to rays and 
hemispheres in Xh , respectively. 

i. The effective temperature. By the radial foliation 
lemma, \\H(t)\\ = ||JI(||£||i)|| = B(||t||i), so that 
takes the form 



0(£) = e(||t||i)cos0, 



(11) 



where 1 is the unit vector with all components equal to 
n -1 / 2 . Meanwhile, the form implied by the scaling be- 
havior of G w/r/t for the term (||£||l) on the RHS 
of (TTTI) is 



e(\\t\\i 



K/\\t\ 



(12; 



where K is a fixed constant with dimensions of action 
(say, h) whose value we may set to unity w/l/o/g. 

In the language of an earlier paper [9] , ( |l2| is a topolog- 
ically admissible uniform temperature map. This means 
first that the LHS of ( p"2| ) is bijective in ||£||, which is es- 
sentially the zeroth law of thermodynamics, and second 
that 0^0 (resp., 00) as t^ — > 00 (resp., 0). Combined 
with bijectivity, this implies in particular that the LHS 
of (12) must be monotone decreasing in ||£||. 



Combining ^ and (12) using (11) leads to a simple 
formula for 0: 



e(t) 



K 



£00 P 



n / n \ 
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(13) 



j. Temperature of a classical Bose gas. We now con- 
sider the example of a classical Bose gas [24] . (The equiv- 
alent system in queueing theory is known as a Gordon- 
Newell or closed Jackson queue [25], [26], and similar 
but distinct model physical systems include generalized 
Ehrenfest models [27], [28] .) The gas consists of b par- 
ticles with B internal states in continuous time, where 
the particles independently execute state transitions. A 
microstate of the gas (versus a state of a single particle) 
is given by an element of the space X = X B ,b '•= £ 
7L B : (\a\ = b) A (a > 0)}, where we employ standard 
notation for multi-indices. 

Write qj for the transition rate from the jth (internal 
particle) state, and write Rjk for the probability of a 
particle transition to the kth state from the jth state. 
For j 7^ k, the probability that a particle attempts to 
transition from state j to state k (regardless of whether 
or not any particles are actually in state j) is then given 
in the limit by 



lim 

At^O 



(a 



At 



ej + e k 



At 



QjRjk. 
(14) 

Now R is a stochastic matrix and (we shall assume it 
to be irreducible, so that) it possesses a unique invariant 
distribution satisfying tt = ttR. Set rjj := Kj/qj. It is not 
hard to show (see appendix) that the induced invariant 
distribution on 5 is of the form 



P(a)= V a /z( V ). 



(15) 



z is a so-called complete homogeneous symmetric func- 
tion. It can be shown (see e.g. exercise 7.4 of [29], al- 
though this result is apparently not well known in either 
the physics or queueing theory literature) that 



*(»/) = E 



(16) 




if the components of r\ are distinct. By omitting duplicate 
components and reducing B accordingly, the appropriate 
generalization of (16) follows. 

Write d(J) := {a : aj = <^=> j G J} and J(#j) 
./. Now the recurrence time is given by the average in- 
verse net transition rate, viz. t^ = J2 a a )i 
where the net transition rate at a £ d(J^) is given in 
turn by X(q,a) = X(q,J( d )) : = Qj, i- e -> the net 

transition rate is constant on each "facet" d(J^)) °f X. 
Thus 
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(17) 
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FIG. 1: Contour plot of (the logarithm of) for a two-state 
system as a function of the occupation times, with £00=^! + 
ti. The picture in higher dimensions is qualitatively similar. 



and the RHS can be evaluated using (|16j). 

If p denotes the invariant distribution on X, then 
a brief calculation yields ||p|| = z l ^ 2 (r} 2 ) / z{rf). More- 
over, |5| yields (3E a = (a — a, log 77), where a := 
Z W ~ l z2 a a an d ^ ne logarithm is taken componentwise. 
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In order to obtain a closed- form expression for B, it is 
necessary to evaluate the sum J2 a (0E a ) 2 m c l° se d form. 
It is easy to see that this reduces to evaluating J2 a ( a i 
for h a generic B-tuple. This can in turn be accomplished 
given a formula for J]fc=o ^ w { S ~k k ) with s, u, w integral: 
and this may finally be obtained by writing k w as a linear 
combination of binomial coefficients and considering the 
sums Y,t=o { k v )( S t k ) for < v < w [30J. The relevant 
calculations are performed in an appendix. 

So, can be evaluated in closed form for the closed 
queue along the lines sketched above. The final result 
has a lengthy and unenlightening expression, and so we 
content ourselves here with the simple case of B = 2 and 
b > 1. Writing r := R21/R12, we have that for b large (so 
that finite size effects do not dominate) and #2 = 1 (and 
in fact more generally) , G is greatest when the dynamics 
approaches that of an unbiased random walk: here, this 
is when q± ~ r. 
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FIG. 2: Psuedo-grayscale plot of log 6 for B = 2 and b = 
2, 4, 8, 16 as a function of r and q\ with qi = 1. 

k. Discussion. We shall make a few general points 
before proceeding with a further application to computer 
network traffic monitoring. 

First, if the system under consideration is not station- 
ary, so that {pk} and t^ vary with time (but are pre- 
sumably still well-defined), then so will 8 and {Ek}, but 
the language of equilibrium statistical physics is still ad- 
equate even if the system is not actually in equilibrium. 
That is, there is no need for (e.g.) detailed balance or 
a maximum-entropy variational principle to be satisfied 
in order for 8 to be well-defined: equation ( fl3| can be 
taken as an extension of the language of equilibrium sta- 
tistical physics. Though the details of how {pk} and t^ 
should be calculated from theory or estimated from mea- 
surements are important and nontrivial, these may be ne- 
glected here. Once we have {pk} and t^, we may treat 
the system at any instant as if it were in a stationary 
state of equilibrium. 

Second, many systems of interest in statistical physics 
are specified by an energy function (in which case there 



is usually no need for the formalism in this paper) , rather 
than some more detailed rule such as a bona fide Hamil- 
tonian system that allows us to compute the dynami- 
cal evolution of the system and its characteristic recur- 
rence time. A notable exception is the Ising model with 
Glauber dynamics, and the application of the formula 
(13) to a Glauber spin is discussed elsewhere [31]. 

Third, it is not obvious how to generalize this frame- 
work to systems whose state space Y has infinite mea- 
sure. However if Y is endowed with an appropriate fi- 
nite measure 11 (as when for example Y is naturally re- 
alized as a bounded set in M, N with smooth boundary, 
and ji is induced from Lebesgue measure), the adapta- 
tion is comparatively straightforward provided that t^ 
is well defined and p and \ogp are in L 1 Pi L 2 , since 
\\PE\\ 2 = lllogpll 2 - ^ JrlogpdM- 

Fourth, the vast majority of finite systems of potential 
interest are amenable to measurement first, and calcu- 
lation second, if at all. This raises the prospect of us- 



ing (13) as a tool for data analysis in the same spirit 
as entropies are often employed. The potential to ap- 
ply similar ideas to computer network traffic has been 
considered by others (see, e.g. [8]) and an application is 
sketched below. 

Finally, in those cases where we can measure every- 
thing, it is still possible and generally also preferable to 
deal with coarsened quantities instead. Then the problem 
of determining a proper coarsening to work with arises. 
This is a direct analogue of the Gibbs paradox (where 
the value of the entropy depends on the level of descrip- 
tion of the system). [32] In applications such as the one 
considered below, these sorts of issues will typically loom 
large. 

/. Application to computer network traffic analysis 
and characterization. The Bose gas framework can be 
applied to traffic analysis provided that each of the 
B states corresponds to a (type of) source or desti- 
nation in a communications or other network. Time- 
inhomogeneous rates qj and probabilities Rjk can be 
readily estimated from the number of connections with 
origin (type) j and destination (type) k, and this pro- 
cedure in effect couples the traffic to a Bose gas. [9] 
In general, most traffic data sets of interest will have a 
large number of physical or logical addresses and addi- 
tional metadata which must be aggregated in order to 
provide a meaningful context for the traffic and to keep 
B reasonably small. A simple example of this sort of ag- 
gregation for computer network traffic will be sketched 
below. 

Both the Gibbs paradox and the renormalization group 
inform the aggregation process. By effectively separating 
both internal levels of description and external scales, the 
bulk traffic can generally be understood using relatively 
few parameters, and traffic exhibiting greater complex- 
ity can be examined separately and in more detail. The 
assertion that bulk traffic can be described with a few 
parameters amounts to saying that the bulk traffic is un- 
derstandable in the first place, and can be expected to 
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follow from the fact that a communications or other net- 
work of interest for traffic analysis is engineered (even 
if the engineering process is distributed or collaborative) 
and its general function is knowable at the outset. 

The separation of external scales is essentially the con- 
verse of data fusion, where the idea is to identify states at 
different sensors in an appropriate fashion and compute 
the corresponding fused rates q and probabilities R. In 
practice this procedure may be easier than it might seem 
at first. For example, each of several streams of multi- 
plexed computer network traffic may be best examined 
using the same source/destination types, with identically 
defined tables of observed ports, network addresses, or 
communications sockets that are individually populated 
on a per- stream basis. In this case the states for each 
traffic stream are identical, and if the ath stream has 
transitions from state j to state k during the time 

interval [t, t + At), then setting Njk := J2 a anc ^ ( a ^ _ 
ter suitable conditioning if necessary) qj := ^2 k Njk/At 
and Rjk '= ^jk/J2k ^jk effects a simple data fusion pro- 
cedure. Note that (all other things being equal) the ef- 
fective temperature of data fused in this way will scale as 
the number of fused traffic streams, but this scaling can 
be offset by dividing qj by the number of fused streams. 

In order to keep the remainder of the discussion nom- 
inally self-contained, we provide a brief overview of the 
types of computer network traffic considered here. For 
more information on network protocols, see [33] . 

The Internet Protocol (IP) is a connectionless network- 
layer protocol responsible for routing network packets be- 
tween sources and destinations. The Internet Control 
Message Protocol (ICMP) is a network/transport-layer 
protocol, though ICMP messages are encapsulated within 
IP datagrams. Comforming ICMP messages can be cate- 
gorized as either requests, responses, or errors. The User 
Datagram Protocol (UDP) is a connectionless transport- 
layer protocol, commonly associated with the Domain 
Name Service (DNS), Simple Network Management Pro- 
tocol (SNMP), streaming media (e.g., voice over IP), etc. 
Although UDP is connectionless, notification of packet 
reception errors over ICMP is a common protocol behav- 
ior (though its enabling or disabling depends on local net- 
work policy) . Therefore it is often appropriate to analyze 
UDP and ICMP in the same framework. Towards that 
end, and after analyzing benign UDP and ICMP traffic 
from an independently operated gigabit network testbed 
simulating a large network enclave connected to the in- 
ternet, an exhaustive set of states that reflected the bulk 
features of the network traffic source / destination pair at- 
tributes was formulated. 

Each UDP or ICMP packet, along with its encapsulat- 
ing IP header, corresponds to an attempted state tran- 
sition of a single-particle Bose gas. (Multi-particle Bose 
gases may also be considered; however, increasing the 
particle number can increase both artificial "crosstalk" 
[which may or may not be desirable] and noise.) IP 
addresses along with UDP ports or ICMP types corre- 



sponding to well-known services, ephemeral client-side 
connections, or message types were considered as source 
and destination attributes defining the internal states 
according to the figure below. The Bose gas statistics 
were autonomously updated approximately every second 
(a "stopping time" update protocol that bounds update 
intervals from below was actually used). 




FIG. 3: Packet classification tree for source and destination 
types. "X" is a shorthand for "other"; "Q", "R" , and "E" for 
ICMP requests, responses, and errors, respectively. Although 
not done for the data presented here, it is convenient for a 
number of reasons to force ICMP with source attributes in- 
volving X to have destination attributes involving E and vice 
versa, and similarly for Q and R. Also note that the set of 
states is automatically exhaustive by virtue of the tree struc- 
ture. 

Sophisticated classes of internal states can be defined 
and implemented, e.g., "IP address inside the network 
and present in observed traffic between 1 and 10 times 
during the last approximately 5 seconds; UDP port not 
present in observed traffic during the last approximately 
1 minute", but the dynamic nature of such states effec- 
tively precludes the sort of analysis presented here, which 
relies on memoryless source/destination types. 

The bulk of benign UDP and ICMP traffic was DNS, 
and the well-known Slammer worm was introduced onto 
the testbed during the time interval indicated by the 
shaded areas on the following figures. Although the traf- 
fic levels associated with the worm were found to be an 
order of magnitude greater than the benign traffic, the 
concomitant source and destination state pairs were dis- 
tinct from the benign traffic in such a way as to enable 
the determination of temperature (as well as entropy) 
characteristics based on the presence of all, a portion, 
or none of the worm traffic. (Furthermore, a slight but 
detectable change in the effective temperature slightly 
preceded the corresponding change in traffic rate.) This 
in turn allowed us to determine that the effective tem- 
perature was significantly more robust as a discriminator 
of the worm activity than the entropy, as demonstrated 
by the simple expedient of removing the ICMP errors 
caused by the worm (and responsible for roughly half of 
the offending traffic) as well as varying amounts of the 
actual worm traffic itself via post-processing. 

At a finer level of detail, anomalous network activity 
was detectable through analysis of certain of the power 
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FIG. 4: Effective temperature of a one-particle Bose gas 
coupled to a network testbed. The period of Slammer worm 
activity is highlighted. Time in this and similar figures is in 
hours. 
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where V • Wj =W = Y, a P^E a and 
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In particular, we show two of the integrated compo- 
nents for testbed UDP/ICMP traffic with all the periods 
of malicious activity on the testbed highlighted. The 
worm corresponds to the penultimate period, a set of 
scans to the period before that, and the remainder of 
periods to other types of malicious traffic, generally in- 
volving a handful of packets. The components shown 
below are significantly more effective discriminators of 
anomalous activity than most others. 
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UDP/ICMP without ICMP errors or UDP from external addresses on "other" ports 
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FIG. 5: Entropy of a one-particle Bose gas coupled to a 
network testbed. The period of worm activity is highlighted. 
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FIG. 6: Signal to noise ratio behavior of the effective tem- 
perature. 



FIG. 7: A work component of the one-particle UDP Bose 
gas. Each of the larger spikes in this or similar figures either 
occurred simultaneously with a malicious packet or at a time 
for which log file data from the testbed was later found to be 
unavailable. 

Next, we show two of the more effective integrated 
components for testbed Transmission Control Protocol 
(TCP) traffic, with a similar classification scheme in 
which mail, web, FTP, and two other service ports were 
differentiated; all other low ports were aggregated, as 
were all high ports. To accommodate the static nature 
of these decision tree nodes for analytical purposes, FTP 
sessions from high ports to high ports were disabled, 
though a tree node taking recent IP addresses into ac- 
count would more than compensate for any effects of this. 

In particular, the lack of accounting for connection or 
flow status (TCP is a connection-oriented protocol), ad- 
dress and/or port frequencies, the number of bytes trans- 
ferred, TCP sequence and acknowledgement numbers, 
etc. means that malicious traffic directed at internal web 
or email servers from outside the enclave would gener- 
ally be difficult to distinguish from genuinely anomalous 
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FIG. 8: Another work component of the one-particle UDP 
Bose gas. 
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FIG. 9: A work component of the one-particle TCP Bose gas. 
The lack of activity during some periods of malicious traffic 
besides the worm interval can be attributed to the simple 
memoryless nature of the classification procedure used here. 
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FIG. 10: Another work component of the one-particle TCP 
Bose gas. 



or malicious traffic directed to internal addresses on web 
or email ports, but that is only due to the simple na- 
ture of the classification tree in this example. In practice 
it would generally be advantageous to separate web and 
email traffic into streams for detailed analysis (possibly 
including states tied to the application layer of the proto- 
col stack) , or at least to treat web and email servers differ- 
ently in the source/destination type association scheme. 

Although such a procedure was not carried out 
here (partially in order to keep the analysis pre- 
sented here comparatively straightforward) , note that the 
UDP/ICMP and TCP work components here combine to 
unambiguously indicate malicious activity in each of the 
highlighted periods through a simple thresholding pro- 
cedure. During those periods where sufficiently accurate 
logs detailing the malicious traffic were available (the en- 
tire period for UDP/ICMP and the last period of mali- 
cious traffic for TCP) each of the values of these work 
components above appropriate thresholds occurred at a 
timestamp for malicious activity. While this sort of ap- 
proach does not in itself determine the difference between 
malicious and anomalous traffic, an interactive visual 
traffic analysis engine and autonomous offloaded domain- 
specific methods can both aid the characterization of nor- 
mal traffic and perform more contextual analysis of any 
anomalous traffic. [34] This suggests the possibility of 
a practical technique for network traffic monitoring that 
incorporates interactive configuration (i.e., refinements 
of classification trees combined with separation of traf- 
fic streams and timescales, all mediated through queries 
of, e.g., the routing time series Rjk down to the level 
of individual transactions) followed by automated detec- 
tion with low computational requirements and attractive 
performance characteristics. 

m. Conclusion. Our discussion turns at last to a few 
concluding remarks. Though the usual state of affairs is 
for temperature to be regarded as an environmental pa- 
rameter in calculations, the logic can be turned on its 
head: through the simple expedient of measuring occu- 
pation times, we can directly obtain an effective temper- 
ature (and the corresponding energy levels) of a finite 
system without recourse to a Hamiltonian, and typically 
using appropriate observables of our choosing. Without 
a Hamiltonian, we cannot predict the system's exact mi- 
croscopic evolution, but we can still efficiently describe 
the macroscopic evolution using the idiom of equilibrium 
statistical physics. It is desirable to describe systems in 
this way precisely because this approach has proven so 
successful at ignoring irrelevant microscopic details while 
still providing the most relevant information about a sys- 
tem. While a proper interpretation of an effective tem- 
perature in purely information-theoretical terms is not 
yet known (and a recent philosophical study of thermom- 
etry notes that "[in] fact, there are complicated philo- 
sophical disputes about just what kind of quantity tem- 
perature is" [35]), we believe that the connection between 
information theory and statistical physics may eventu- 
ally be extended to encompass temperature and energy 
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as well. 



where 



APPENDIX A: EVALUATING A CERTAIN SUM 



Let h G and consider the sum 



(Al) 



We have that 



E< a - ft > 2 = E h ) E a ) + E h i hk J2 a i ak ' ( A2 ) 

a. j ol j^k OL 

so in order to evaluate the LHS it suffices to compute 



o 2 



E«, 2 



and 



an := ^<x,a fc (j ± k) 



(A3) 



(A4) 



(note that there is no real dependence on j or k in the 
RHS of either of the preceding two equations). 

The cr-coefficients can be readily evaluated by first 
evaluating sums of the form 



E 

k=0 



r + k 
k 



(A5) 



with p a positive integer. This in turn is accomplished by 
writing k p as a linear combination of binomial coefficients 
and considering 



E 

k=0 



k\ (r + k 



q) V k 



(A6) 



for < q < p [30 . The relevant results of this procedure 
for the present purpose are 



E 

k=0 



r + k\ fn + r + l 
r + 1 



k=0 



r + k 
k 



£*r ;."] = (r + i) 



n + r + 1 
r + 2 



(A7) 



(A8) 



and 

n 

E* 

fc=0 



2,r + fcl -((r + 2)n + l) 



r + 1 /n + r + T 

/c y vv ' _/ " ' _/ r + 3 V ^ + 2 

(A9) 

Some wholl y elementa ry but tedious manipulations us- 
ing equations ( |A7| )-( A9) along with the fact that z(l) = 
1 = ( B+ b~ ) quickly lead to the results 



o 2 



5 + 26-1 
6-1 



-an 



(A10) 



Oil 



5 + 6-1 
5 + 1 



(ah; 



We will briefly outline these manipulations wh ile om it- 
ting a few trivial steps for the case of equation (A10). 
Now 



(72 = ^2&i = £ a l Z B-l,b-a 1 W, 
ol a±=0 



(A12) 



SO 



E 



cr 2 = > s 

s=0 



5 -2+6- s 
b-s 



r + m 



??? 



(A13) 

where we have made the substitutions r := B — 2,m := 
6— s. Expanding the squared term and using the forumlae 
above before undoing the substitutions yields 

l2 /5 + 6-l\ M L/ „ oAA 5- 1/5 + 6-1 



Finally, a few lines of algebra yields the result (A10). 
Equation (All) follows similarly. 



Summarizing, we have that (Al) equals 



5 + 6-1 
5 + 1 



APPENDIX B: INVARIANT DISTRIBUTION OF 
THE CLASSICAL BOSE GAS 

If Q is the generator of a well-behaved continuous-time 
Markov process on a finite state space, its invariant dis- 
tribution p is the unique solution of the eigenproblem 
pQ = satisfying |p| = 1. 

In the case of the classical Bose gas, the nontrivial 
entries of the generator are given by ( 14 ) . Define 



0(a) := {(j, k) : j ^ k A a - e d + e k e X B , b } (Bl) 

and note that ()(a) = {(j, k) : j ^ k A ctj ^ 0}. Since the 
rows of the generator must sum to zero, we have 

Qa,a — ^ ^ Qa,a — ej-\-ek = ^ ^ QjRjk- (B2) 

(j,k)eO(a) (j,k)E0(a) 



Now (pQ) a = iff 

PaQcx,cx ^ ^ Pai—ej-\-ekQoi—ej+ek,ai 

(j,fc)G0(a) 



(B3) 



or equivalently 

^5 fcj , (B4) 

(i,fc)eO(a) U,k)eO((x) 
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Under the Ansatz p a = r] a / 'z, this takes the form 
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q i R i k = ~^ kRk 3- ( B5 ) 



(j,k)eO(a) 



(j,k)eO(a) 



Vj 



Writing the summation indices explicitly and recalling 
that r] = 7r/q, we obtain 



^^2 R jk= ^.H 71 ^ 



(B6) 



j:oij^0 k^j j-otj^O J fc#j 

Using ttR = it and J2k^j R jk — 1 — Rjj this simplifies to 



Qj( 1 - R n)= ^jO-Rjj 

• ~.^n „-.„.^n '13 



(B7) 



At this point equality is clear, establishing that p a 
r] a /z is in fact the invariant distribution. 
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